2 Replies Latest reply on Jan 27, 2014 9:32 AM by pboedges

    McAfee ePO 5.1 setup

    andrei.duca

      Hi guys,


      I have set up 3 ePO servers (version 5.1) in our Amazon environment and I'm struggling to obtain some reports that could provide me with the following information:


      1.  Log file evidence of previous on access and on demand scans that are occurring.

      2.  Evidence of the on access and on demand policy enforcement for each server managed by ePO.

      3.  Evidence of DAT file updates and the schedule for the indicated servers. 

      4.  Evidence of the policy for updating the definitions from McAfee and the schedule.


      First of all let me provide you some details about the current setup:


      We have 3 ePO servers that are managing Linux and Windows boxes using the VirusScan Enterprise 8.8 and VirusScan Enterprise for Linux 1.9.0 extensions. I have set up on-demand client tasks for full and memory scans and created some on access policies for them.


      Now there are a few problems that I’m currently facing and even though I’ve searched on the forums I didn’t find an answer to them…


      1. Where can I find the ePO server logs regarding the tasks created? For instance, when I'm running a task by hand, where does the server log information about this? I've checked most of the log files on the ePO server but nothing gave me any details on whether the task was completed or not.
      2. On demand tasks should store the logs locally in a location defined by me. This should be done by writing to a local file, e.g. C:\McAfeeLogs\OnDemandScanLog.txt, but for some reason this file is not being created when I'm running the tasks by hand. Also, it is worth mentioning that the tasks are being run using an Active Directory user with full administrator rights.
      3. Let's say that everything works properly - on demand and on access scans are being done as scheduled (which apparently they are, based on the CPU usage). What should I do to obtain a report that could provide me with the information listed at the beginning of this post? I saw that there is an extension for VirusScan Enterprise - VirusScan Enterprise Reports - but from what I've seen there isn't any data related to on-demand scans… So is this something that can be achieved using the ePO reporting tool? If not, should I parse all the server logs stored locally to generate this report?


      There are a couple of other questions but for now if someone could help me with this I would really appreciate it.


      Thanks in advance for your help!


      Andrei

        • 1. Re: McAfee ePO 5.1 setup
          Peter M

          Community Interface won't get you product help; I have moved this to Business > ePO for better support.

          • 2. Re: McAfee ePO 5.1 setup
            pboedges

            1.  Log file evidence of previous on access and on demand scans that are occurring.

            • Create a Query for Client Threats for each scan type (On-Access/On-Demand) and filter based on the Event IDs listed here.
              • 1202: On-demand scan started
              • 1203: On Demand scan complete
              • 1087: On-access Scan started
              • 1088: On-access Scan stopped
              • 1118: The update was successful
              • 1123: The update failed
              • 1034: Scan completed. No viruses found
              • 1035: Scan was cancelled
              • 1036: Memory infected
              • 1037: Infected boot record found
              • 1038: Scan found infected files
              • 1039: Scan found and cleaned infected files


            2.  Evidence of the on access and on demand policy enforcement for each server managed by ePO.

            • This you will need to collect from the target servers directly; this information can be viewed in the McAfee Agent log file.  Typically the file can be found in the following directory on Windows 2008+ servers: C:\ProgramData\McAfee\Common Framework\DB\Agent_[Hostname].log or Agent_[Hostname]_backup.log


            3.  Evidence of DAT file updates and the schedule for the indicated servers.

            • Create a Query for Client Events and filter based on the Event IDs listed here.
              • 2401: Update Successful
              • 2402: Update Failed
              • 2411: Deployment Successful
              • 2412: Deployment Failed


            4.  Evidence of the policy for updating the definitions from McAfee and the schedule.

            • If you are looking for the logs which you can use to show that the ePO server is pulling the files from McAfee on a set schedule, they can be located on the ePO Server in the following directory: C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Logs\EpoApSvr_[Hostname].log.  In addition to this you can also filter the Server Task Log in ePO and export the information you need.
            • If you want to see what policy and/or client task is applied to your managed clients, you can run a query and select Policy Management.  The default results will show you the Computer Name of the managed system, the Policy, and the Source Server from where the policy was assigned.


            All the Event IDs can be viewed, selected, or deselected within the Event Filtering category in the Server Settings within ePO.  These control what events the agents send to the ePO server.


            Hope this helps.
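The reply above lists the event IDs to query for but leaves the "is every server actually covered?" check to the reader. The following script is an added example, not part of the thread and not McAfee's code: it takes a client-event query exported from ePO as CSV, maps the events by the IDs quoted in the reply, and flags hosts with stale or missing scan and update evidence (an on-demand scan that started but never completed, an update failure with no later success, no completed scan or successful update inside a chosen window). The column layout `host,event_id,timestamp` and the sample rows are constructed assumptions; adjust the column names to whatever the export actually produces.

```python
"""Per-host scan/update evidence from an ePO client-event export (added example)."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs quoted in the reply above.
ON_DEMAND_START, ON_DEMAND_COMPLETE = 1202, 1203
ON_ACCESS_START, ON_ACCESS_STOP = 1087, 1088
DAT_UPDATE_OK, DAT_UPDATE_FAILED = 1118, 1123
AGENT_UPDATE_OK, AGENT_UPDATE_FAILED = 2401, 2402
SCAN_FINDINGS = {  # scan outcome events that indicate a detection
    1036: "memory infected",
    1037: "infected boot record found",
    1038: "infected files found",
    1039: "infected files found and cleaned",
}
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample export (not real ePO data). The column layout
# host,event_id,timestamp is an assumption about how the query was exported.
SAMPLE_EXPORT = """host,event_id,timestamp
web01,1202,2014-01-20 02:00:11
web01,1038,2014-01-20 02:41:09
web01,1203,2014-01-20 02:41:10
web01,1118,2014-01-26 06:00:02
web01,2401,2014-01-26 06:00:05
db01,1202,2014-01-20 02:00:13
db01,1123,2014-01-25 06:00:04
db01,2402,2014-01-25 06:00:07
app01,1087,2014-01-10 08:00:00
app01,1203,2014-01-05 03:10:00
app01,1118,2014-01-05 06:00:00
"""


def parse_events(csv_text):
    """Parse the export into dicts sorted by timestamp."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        events.append({
            "host": row["host"].strip(),
            "event_id": int(row["event_id"]),
            "ts": datetime.strptime(row["timestamp"].strip(), TIME_FORMAT),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def build_report(csv_text, now_text, max_age_days=7):
    """Per host: latest on-demand completion and update success, unfinished
    on-demand scans, unresolved update failures, detections, and a list of
    evidence gaps relative to now_text."""
    now = datetime.strptime(now_text, TIME_FORMAT)
    max_age = timedelta(days=max_age_days)
    hosts = defaultdict(lambda: {
        "last_on_demand_complete": None,
        "last_update_ok": None,
        "open_on_demand_scans": 0,
        "unresolved_update_failure": False,
        "findings": [],
        "issues": [],
    })
    for ev in parse_events(csv_text):
        h, eid = hosts[ev["host"]], ev["event_id"]
        if eid == ON_DEMAND_START:
            h["open_on_demand_scans"] += 1
        elif eid == ON_DEMAND_COMPLETE:
            # A completion closes the most recent start; never go negative
            # if the export window cut off the matching start event.
            h["open_on_demand_scans"] = max(0, h["open_on_demand_scans"] - 1)
            h["last_on_demand_complete"] = ev["ts"]
        elif eid in (DAT_UPDATE_OK, AGENT_UPDATE_OK):
            h["last_update_ok"] = ev["ts"]
            h["unresolved_update_failure"] = False  # a later success clears it
        elif eid in (DAT_UPDATE_FAILED, AGENT_UPDATE_FAILED):
            h["unresolved_update_failure"] = True
        elif eid in SCAN_FINDINGS:
            h["findings"].append((ev["ts"], SCAN_FINDINGS[eid]))

    for h in hosts.values():
        if h["open_on_demand_scans"]:
            h["issues"].append("on-demand scan started but never reported complete")
        if h["last_on_demand_complete"] is None or now - h["last_on_demand_complete"] > max_age:
            h["issues"].append(f"no completed on-demand scan in the last {max_age_days} days")
        if h["last_update_ok"] is None or now - h["last_update_ok"] > max_age:
            h["issues"].append(f"no successful update in the last {max_age_days} days")
        if h["unresolved_update_failure"]:
            h["issues"].append("last update attempt failed with no later success")
    return dict(hosts)


if __name__ == "__main__":
    for host, h in sorted(build_report(SAMPLE_EXPORT, "2014-01-27 00:00:00").items()):
        print(host, "OK" if not h["issues"] else "; ".join(h["issues"]))
        for ts, what in h["findings"]:
            print("   finding:", ts, what)
```

Run against the sample rows with a reference time of 2014-01-27, web01 comes out clean with one recorded detection, db01 is flagged for an unfinished scan and a failed update, and app01 is flagged only because its last scan and update are older than the seven-day window. Pairing the server-side event evidence with the agent log from item 2 is still needed for proof of policy enforcement, since these events only show what the agents reported.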